System and method for network-based object authentication

ABSTRACT

A method is provided for determining whether an object is an authentic object to which an expected encoded image has been applied. The expected encoded image having been constructed by encoding an authentication image using a set of one or more encoding parameters. The method comprises receiving a digital image of at least a portion of the test object including a target area where the expected encoded image would be applied if the test object is an authentic object. The method further comprises determining the one or more encoding parameters and applying a digital decoding algorithm to the captured digital image to establish a decoding result. The decoding result may then be compared to object authentication criteria to establish an authentication result. In particular embodiments of the invention, the actions of receiving, determining, applying and comparing are carried out by an authentication server and the digital image is received from an inspection processor over a network.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. application Ser. No.11/068,350, filed Feb. 28, 2005, which claims priority to U.S.Provisional Application No. 60/565,300, filed Apr. 26, 2004, both ofwhich are incorporated herein by reference in their entirety. Theapplication is also related to U.S. application Ser. No. 10/847,962('962 Application) filed May 18, 2004 and U.S. application Ser. No.10/897,943 ('943 Application) filed May 18, 2004, each of which isincorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The invention relates generally to the field of counterfeit protection,and more particularly to the field of object authentication through theuse of an encoded image.

BACKGROUND OF THE INVENTION

Document falsification and product counterfeiting are significantproblems that have been addressed in a variety of ways. One of the moresuccessful approaches has been the use of latent or hidden imagesapplied to or printed on objects to be protected. These images aregenerally not viewable without the assistance of specialized devicesthat render them visible.

One approach to the formation of a latent image is to optically encodethe image so that, when printed, the image can be viewed only throughthe use of a corresponding decoding device. Such images may be used onvirtually any form of printed document including legal documents,identification cards and papers, labels, currency, stamps, etc. They mayalso be applied to goods or packaging for goods subject tocounterfeiting.

Objects to which an encoded image is applied may be authenticated bydecoding the encoded image and comparing the decoded image to anexpected authentication image. The authentication image may includeinformation specific to the object being authenticated or informationrelating to a group of similar objects (e.g., products produced by aparticular manufacturer or facility). Production and application ofencoded images may be controlled so that they cannot easily beduplicated. Further, the encoded image may be configured so thattampering with the information on the document or label is readilyapparent.

Authentication of documents and other objects “in the field” hastypically required the use of hardware decoders such as lenticular ormicro-array lenses that optically decode the encoded images. Theselenses must have optical characteristics that correspond to theparameters used to encode and apply the authentication image and must beproperly oriented in order for the user to decode and view the image.

Because they can only be used for encoded images with correspondingcharacteristics, hardware decoders are relatively inflexible tools.There are also circumstances where the use of an optical decoder todecode encoded images is impractical or undesirable. For example,authentication using an optical decoder requires immediate on-sitecomparison of the decoded image to the authentication image. Thisrequires that the on-site inspector of the object being authenticatedmust be able to recognize differences between the decoded image and theexpected authentication image. This is impractical in instances wherethere are many possible variations in the expected authentication image.It also may be undesirable for the on-site inspector to have access toinformation that may be embedded in the decoded image.

SUMMARY OF THE INVENTION

The present invention provides systems and methods for authenticatingdocuments and other objects through the use of encoded images that canbe scanned and decoded without the use of a hardware-based decoder.

An aspect of the invention provides a method for determining whether anobject is an authentic object to which an expected encoded image hasbeen applied. The expected encoded image having been constructed byencoding an authentication image using a set of one or more encodingparameters. The method comprises receiving a digital image of at least aportion of the test object including a target area where the expectedencoded image would be applied if the test object is an authenticobject. The method further comprises determining the one or moreencoding parameters and applying a digital decoding algorithm to thecaptured digital image to establish a decoding result. The decodingresult may then be compared to object authentication criteria toestablish an authentication result. In particular embodiments of theinvention, the actions of receiving, determining, applying and comparingare carried out by an authentication server and the digital image isreceived from an inspection processor over a network.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention can be more fully understood by reading the followingdetailed description together with the accompanying drawings, in whichlike reference indicators are used to designate like elements, and inwhich:

FIG. 1 is an illustration of the use of an optical decoder to decode aprinted encoded image;

FIG. 2 is a flowchart of a method of authenticating an object accordingto an embodiment of the invention;

FIG. 3 is a schematic illustration of an object authentication systemaccording to an embodiment of the invention;

FIG. 4 is a schematic illustration of a network-based objectauthentication system according to an embodiment of the invention;

FIG. 5 is a schematic representation of a digital decoding system thatmay be used in embodiments of the invention;

FIG. 6 is a schematic representation of a network-based decoding systemthat may be used in embodiments of the invention;

FIG. 7 is a schematic representation of a network-based decoding systemthat may be used in embodiments of the invention; and

FIG. 8 is a flow diagram of a network-based method of providing aninteractive image decoding service to a user.

DETAILED DESCRIPTION OF THE INVENTION

The present invention provides systems and methods for authenticatingdocuments, commercial products and other objects using opticallydecodable encoded images. The methods of the invention provide fordigitally capturing an encoded image applied to the object to beauthenticated. This may be done using a scanner or other imaging deviceto produce a captured digital image. A data processor equipped with adigital decoder may then be used to identify and decode the encodedimage from the captured digital image and to extract indicia and/orinformation from the decoded result. The extracted indicia and/orinformation may then be used to authenticate the object or document towhich the encoded image was applied. In some embodiments, the decodedimage need never be viewed by a human being. In some embodiments, theencoded image may be captured by an on-site inspector who transmits thecaptured image to a separate processor (or series of processors) wherethe image is decoded and, optionally, compared to an expectedauthentication image. The results may then be returned to the on-siteinspector or other authorized personnel. Other embodiments andvariations will be apparent from the following discussion.

As previously discussed, the authentication methods of the inventionmake use of encoded images that are typically embedded in a backgroundor source image and printed on items that may be subject to alteration,falsification or counterfeiting. As used herein, the term “encodedimage” refers to an image that is manipulated and/or hidden within abackground field or within another image in such a way that when appliedor printed, the encoded image cannot be discerned by the human eyewithout the use of a decoding device. Some encoded images are hidden sothat their presence is difficult to discern from a background or primaryimage. Other encoded images are easily visible but are unreadablebecause the image content has been systematically scrambled or otherwisemanipulated.

Encoded images of particular significance to the present invention arethose that are configured to be optically decoded using a lens-baseddecoding device. Such images take advantage of the ability of certaintypes of lenses (e.g., a lenticular lens) to sample image content basedon their optical characteristics. For example, a lenticular lens can beused to sample and magnify image content based on the lenticulefrequency of the lens. The images used are typically encoded by one ofseveral methods that involve establishing a regularized periodic patternhaving a frequency corresponding to that of the lenticular lens to beused as a decoder, then introducing distortions of the pattern thatcorresponds to the content of the image being encoded. These distortionsmay be made so small as to render the image difficult or impossible todiscern from the regularized pattern with the naked eye. Encoded imagesof this type can be produced in an analog fashion using specializedphotographic equipment as disclosed in U.S. Pat. No. 3,937,565 ordigitally as is disclosed in U.S. Pat. No. 5,708,717 ('717 Patent), bothof which are incorporated herein by reference in their entirety.

Digitally encoded images can be embedded into a background or into otherimages so that the mere presence of the encoded image is difficult todiscern. With reference to FIG. 1, an encoded image 10 may beestablished using a primary or source image 20 and a secondary image 40,which is embedded into the primary image 20 in such a way that thesecondary image 40 can only be viewed with a decoding device 3030 of apredetermined frequency. The primary image may be a blank gray orcolored background image as in the encoded image 10 of FIG. 1 or mayinclude visible image content such as a design or photograph or anyother form of indicia. The secondary image may also be any form of imageor indicia and may include indicia related in some way to the primaryimage. In the example encoded image 10, the secondary image 40 is arepeating pattern based on the words “Department of Transportation.” Thesecondary image can be separately encoded then merged or embedded intothe primary image or the process of embedding may be accomplished insuch a way that the secondary image is encoded as it is embedded. Asshown in FIG. 1, the secondary image may be viewed by placing thedecoding device 30 over the encoded image 10 at the correct orientation.In the example of FIG. 1, the decoding device has a horizontal axis 32and a vertical axis 34 and the encoded image 10 has a horizontal axis 22and a vertical axis 24. The secondary image 40 is revealed when thehorizontal axis 32 of the decoding device 30 is oriented at the decodingangle α with respect to the horizontal axis 22 of the encoded image 10.The decoding angle α is an encoding parameter that is established priorto encoding and embedding the secondary image.

The methods by which the secondary image is embedded or merged with theprimary image can be divided into two general approaches. In the firstapproach, a regularized periodic behavior is imposed on the primaryimage using a predetermined frequency. This is primarily accomplished byrasterizing the primary image at the predetermined frequency. Thesecondary image is then mapped to the primary image so that theregularized behavior of the primary image can be altered at locationscorresponding to those in the secondary image that include imagecontent. The alterations are small enough that they are difficult forthe human eye to discern. However, when a lenticular lens having afrequency corresponding to the predetermined frequency is placed overthe primary image, it will sample the primary image content in such away that the alterations are brought out to form the latent secondaryimage.

In the second approach, the regularized periodic behavior is firstimposed on the secondary image rather than the primary image, withalterations in that behavior occurring wherever there is content in thesecondary image. The secondary image is then mapped to the primary imageand the content of the primary image altered pixel by pixel based on thecontent of the encoded secondary image.

Another method of embedding an image is commonly used in banknotes andchecks. In this method, a latent image is created by changing thedirection of raster elements in the visible images at positionscorresponding to the content in the hidden image. For example, verticalraster lines in the primary image may be changed to horizontal lines atthe locations corresponding to the latent image. The latent image cantypically be seen by tilting the banknote slightly. However, thedeviations in the primary image can also be decoded using an opticaldecoder. This is because the raster lines of the primary image will runalong the length of the lenticular line of the decoder at the positionswhere there is no hidden content, but will have only a cross section atthe positions where there is a hidden content. This difference makes thehidden image appear much brighter than the visible when viewed throughthe decoder.

The common thread of all of the above graphical encoding methods andtheir resulting encoded images is that they involve deviations fromregular periodic behavior (e.g., spatial location, tone density, rasterangle). The regular periodic behavior and the deviations therefrom maybe established based on the encoding methodology used and apredetermined set of encoding parameters. The deviations are madeapparent through the use of a decoder having characteristics thatcorrespond to one or more of the encoding parameters. For example, oneof the encoding parameters may be the frequency of the regular periodicbehavior. The decoder (whether hardware or software-based) must beconfigured according to that frequency. For example, in the case of alenticular lens, the lens frequency is established so that the frequencyof the regular periodic behavior is equal to the lens frequency or aneven multiple of the lens frequency. The lenticular lens may then act asa content sampler/magnifier that emphasizes the deviations from theregularized behavior and assembles them into the secondary image.

A lenticular lens can be used to decode both visible encoded imageswhose content has been systematically scrambled and encoded imagesembedded into a primary image or background. As described in U.S. patentapplication Ser. No. 11/068,350, ('350 Application) however,software-based decoders can also be used to decode encoded images thathave been digitally created or captured. These decoders may be adaptedto decode any digital version of an optically encoded image includingdigital encoded images that have never been printed and printed encodedimages that have been scanned or transformed by other means into digitalform. The digital encoded images may be latent images embedded intobackground or primary images or may be visible images that have beensystematically scrambled or manipulated. The primary image may be ablank image with no discernible content (e.g., a gray box) or may be anactual image with discernible content.

Software for digitally decoding digital encoded images may beincorporated into virtually any data processor. For the purpose ofpracticing the authentication methods of the present invention, thesoftware may use any decoding methodology including, but not limited to,the methods described in the '350 Application. This includes (1) methodsthat require information on the content of the primary image, thesecondary image or both the primary and secondary images; and (2)methods that do not require any foreknowledge regarding image content.Both of these method types require knowledge of the encoding parametersused to encode and embed the secondary image.

As described in the '350 Application, printed encoded images may bescanned or digitally captured using an image acquisition device. As usedherein, the term “image acquisition device” means any device or systemused to capture or produce a digitized image of a document or object ortarget portions thereof. Image acquisition devices include but are notlimited to scanners, digital cameras, and systems having a combinationof an analog camera and a frame grabber. The image acquisition devicemay be adapted for capturing images using light in the visible ornon-visible (e.g., UV and IR) portions of the electromagnetic spectrum.

A captured encoded image (i.e., a printed encoded image that has beenscanned or otherwise digitally captured using an image acquisitiondevice) may be processed by a decoding processor adapted to apply one ormore software-based decoding algorithms to produce a decoding result.Using such methods as optical character recognition (OCR), the decodingprocessor may also be adapted to extract indicia and/or information fromthe decoded image and to compare the extracted indicia and/orinformation to predetermined authentication criteria. As will bediscussed, the decoding processor may be at a location remote from theimage acquisition device.

With reference now to FIG. 2, a basic authentication method M100according to the present invention makes use of the ability to digitallydecode a captured encoded image. The method M100 may be used to inspecta test object to determine if an expected encoded image has been appliedthereto, the expected encoded image having been applied to all authenticobjects. As used herein, the term “authentic” typically indicates thatan object was produced by an authorized source or in an authorizedmanner. The expected encoded image is an encoded version of apredetermined authentication image. The expected encoded image may bethe same for every object being tested or may be a variable encodedimage that is different for each object. Any object not carrying theexpected encoded image may be assumed to be indicative ofnon-authenticity or indicative that the object or indicia appliedthereto has not been altered.

The method M100 begins at S100 and at S110 a digital image of the testobject is captured using an image acquisition device. The captureddigital image may include all or a portion of the object as long as itincludes a target area where the expected encoded image would be appliedon an authentic object. The captured digital image may be configured sothat only the target area is captured or may be configured so that thetarget area is included in a larger view. In either case, the capturedimage may also include identifiable orientation marks that allow theidentification and proper orientation of the target area portion of thecaptured digital image. At S120, the captured digital image is sent toan authentication processor. As will be discussed, some or all of theauthentication processor may be co-located with the inspection site(i.e., the location where the digital image of the test object iscaptured) and some or all of the authentication processor may be remotefrom the inspection site. In either case, the authentication processormay be connected to the image acquisition device over a network.

The authentication processor may be configured to automatically carryout some or all of the remaining steps of the method M100. At S130, theauthentication processor determines one or more of the encodingparameters that were used to encode the authentication image to producethe expected encoded image. The number of parameters required may dependon the specific digital decoding methodology used. The encodingparameters may be obtained from data storage where they are placed atthe time of encoding. This data storage may be a part of or co-locatedwith the authentication processor or may be disposed in a separatedatabase processor or server accessible to the authentication processorover a network. The data storage may also take the form of a magneticstripe, laser card, smart card, processor chip, memory chip or bar code,which can be applied or attached to or otherwise associated with anobject to which an encoded image is applied. The encoding parameters andor the authentication image may be object-specific or may be constantfor a particular set of objects. In some embodiments, some or all of theencoding parameters may be received with an encoding request ordetermined from the content of the image.

At S140, the authentication processor may use object landmarks to orientthe target area of the captured digital image for decoding. Theselandmarks may be based on the inherent geometry of the object or may bespecifically applied at the time the encoded image is applied toauthentic objects. In the latter case, the presence of such landmarkscould be used as an initial authentication check. It will be understoodby those of ordinary skill in the art that if the digital image iscaptured in such a way that the object is always oriented in exactly thesame way relative to the image acquisition device, there may be no needfor digital orientation of the captured image. For example, if the testobjects are documents that can be precisely positioned for scanning, theorientation of the target area may be sufficiently constant thatorientation of the captured digital image is unnecessary.

Once the target area of the captured digital image is oriented, theauthentication processor applies a digital decoding methodology to thecaptured digital image to produce a decoding result at S150. Thedecoding result may then be compared to authentication criteria todetermine an authentication result at S160. This may be accomplished bydisplaying the decoding result for visual comparison to theauthentication image. Alternatively, OCR or other pattern recognitionsoftware can be used to compare the decoding result to theauthentication image. In instances where the authentication imagecontains information that is object-specific, the information content ofthe decoding result may be compared to information derived directly fromthe object rather than to the original authentication image.

At S170, an authentication determination is made based on the comparisonof the decoding result to the authentication criteria. Thisdetermination may be made by a human reviewer of the decoding result ormay be made automatically by the authentication processor. In either,case, the authentication result may be stored and/or returned to a useror other authorized requestor(s). In embodiments where theauthentication determination is made at a location remote from theinspection site, the authentication determination may be transmitted tothe inspection site. The method ends at S180.

With reference to FIG. 3, the method M100 and other methods according tothe invention may be carried out using an object authentication system100 comprising a digital image acquisition device 110 and anauthentication processor 120. The object authentication system 120 mayalso comprise an encoding information database 130 that may be includedin or in communication with the authentication processor 120. The objectauthentication system 100 is configured for inspection andauthentication of test objects to verify the presence of an encodedauthentication image thereon. Some or all of the encoding parameters andthe authentication image used to encode the authentication image may bestored in the encoding information database 130 so that they areaccessible to the authentication processor 120.

The image acquisition device 110 may be any device adapted for recordinga digital image of at least a portion of the test object containing atarget area in which, on authentic objects, an encoded authenticationimage will have been applied. The authentication processor 120 may beany data processor configured for receiving and processing digitalimages. The authentication processor 120 includes an image receivingmodule 122 adapted for selective communication with the imageacquisition device 110 and for receiving captured digital imagestherefrom. The image receiving module 122 transfers the captured digitalimages to an image processing module 124. The captured digital image mayalso be stored in a database in the authentication processor. The imageprocessing module 124 may be adapted for performing any preprocessingrequired before the captured digital image can be digitally decoded.This may include identifying landmarks in the target area and orientingthe captured digital image accordingly.

The authentication processor 120 also includes a decoding module 126 andan authentication module 128. The decoding module 126 may be programmedwith digital decoding software adapted for performing one or moredecoding algorithms on the captured digital image to produce a decodingresult. The decoding module 126 may obtain from the encoding informationdatabase any information (e.g., the authentication image and encodingparameters) needed for decoding the captured encoded image. The decodingresult may be passed to the authentication module 128, which comparesthe decoding result to one or more authentication criteria to establishan authentication result. The decoding result, the authentication resultor both may be stored in memory, or in a local or remote database, ordisplayed for use by an on-site inspector or other user.

The components of the authentication system 100 may be interconnectedvia any suitable means including over a network. The authenticationprocessor 120 may take the form of a portable processing device that maybe carried by an individual inspector along with a hand-held imageacquisition device (e.g., a portable scanner or digital camera). In someembodiments of the invention, the image acquisition device and theauthentication processor may actually be integrated into a single unit.Alternatively, the inspector may carry only a digital acquisition device110 that is selectively connectable to a remotely located authenticationprocessor 120. For example, a scanning device may be configured to senda captured image to the authentication processor by electronic mail. Inanother example, a wireless phone with imaging capability can be used tocapture an image and forward it to the authentication processor over atelecommunications network. A practical application of this aspect is ascenario in which a potential purchaser of a product captures an imageof the product using a camera phone and phones in an authenticationrequest to an authentication processor. The authentication result couldbe returned to the requestor over the phone network in, for example, atext message.

The authentication system 100 is well adapted for use in authenticatinga large number of similar objects such as, for example, packaged itemsin a warehouse or a large number of similar documents. Theauthentication processor 120 may be adapted so that information relatingto individual objects may be entered or derived from the captureddigital image. This allows the association of the captured digital imagewith the particular object. This, in turn, allows the retrieval ofobject-specific encoding information, which may be required for decodingthe captured encoded image or for determining an authentication result.

It will be understood that if the encoding information is notobject-specific, a group of test objects with the same expected encodedimage can be authenticated by the authentication processor 120 using asingle set of encoding information. This set of encoding information canbe obtained from the encoding information database 130 once and storedin the memory of the authentication processor 120 where it is accessibleto the decoding and authentication modules 126, 128.

The functions of the authentication processor need not be carried out ona single processing device. They may, instead be distributed among aplurality of processors, which may be interconnected over a network.Further, the encoding information required for decoding the capturedencoded images taken from test objects and the decoding andauthentication results may be stored in databases that are accessible tovarious users over the same or a different network. With reference toFIG. 4, an authentication system 200 comprises one or more inspectionprocessors 220, an authentication server 240 and a database server 250in selective communication with one another via one or more networks230, 270, 280.

Each inspection processor 220 is in communication with one or moreassociated image acquisition devices 210 adapted for capturing digitalimages of at least a portion of test objects to be authenticated. Eachinspection processor 220 may include an image receiving module 222adapted for receiving captured digital images from the data acquisitiondevice 210. The inspection processor 220 may also include a datatransmission module 224 adapted for transmitting an authenticationrequest including the captured digital image to the authenticationserver 240 over a first network 280. Alternatively, the transmissionmodule may transmit the captured digital image to the database server250 for later authentication. The inspection processor 220 may beconfigured for entry of data associated with the object from which aparticular digital image has been captured. Alternatively, theinspection processor may be provided with software for processing thecaptured digital image to identify and store information related to theobject. For example, the captured digital image may include recognizableindicia such as a bar code or numerical identifier which can be decodedto provide information relating to the object.

The inspection processor 220 may optionally include its own imageprocessing, decoding and authentication modules similar to thosepreviously described for the authentication processor 120 ofauthentication system 100. Decoding and authentication results producedby the inspection processor may be compared to results obtained from theauthentication server or may be stored for later use. To facilitateimage decoding, the inspection processor 220 may be configured toretrieve encoding parameters and/or authentication images from thedatabase server 250 over a second network 230, which may be the same asthe first network 280.

The transmission module 224 may be adapted for transmitting theauthentication request over the first network 280. In addition to thecaptured digital image, the transmission request may include additionalinformation associated with the object from which the digital image wascaptured. This may include any decoding or authentication resultproduced by the inspection processor 220. The captured digital image andany associated information may be transmitted directly to theauthentication server 240 or may be temporarily stored on the databaseserver 250 or another server for later access by the authenticationserver 240. The authentication request may also include additionalinformation such as information relating to the particular inspectionprocessor and/or the inspector/user, user security information (e.g.,user name and password), the location of the inspection site, etc.

The authentication server 240 may comprise a data receiving module 242configured for receiving the captured digital image and associatedinformation from the inspection processor 220. The data receiving module242 may alternatively or additionally be configured for retrieving suchinformation from the database server 250 over the second network 230 ora different network. The data receiving module 242 may be adapted toverify user credentials and provide a request acknowledgment back to theinspection processor. The data receiving module 242 may also beconfigured to transmit a denial of the authentication request if theuser credentials or security information provided indicate that therequest does not meet predetermined authorization criteria.

The authentication server 240 includes image processing, decoding andauthentication modules 244, 246, 248 similar to those previouslydescribed for the authentication processor 120 of authentication system100. Upon establishing that the authentication request was obtained froman authorized user and is associated with an object for which associatedencoding information is available, the data receiving module passes thecaptured digital image to the image processing module 244 to initiatethe decoding process. One or more of the authentication server modules242, 244, 246, 248 may be adapted for retrieving information stored inthe database server 250. The database server 250 may include an encodinginformation server 252, on which may be stored some or all of theauthentication image and encoding parameters used to encode theauthentication image associated with the objects being authenticated. Itwill be understood that such encoding information may be stored for alarge number of unrelated authenticable objects and object groups for avariety of client users. The information is retrieved based on theobject information provided with the authentication request or derivedfrom the captured digital image itself. The retrieved information may beused by the decoding module 246 to produce a decoding result and by theauthentication module 248 to produce an authentication result.

The authentication server 240 may also comprise a result transmissionmodule 249 adapted to assemble and transmit an authentication requestresponse including the authentication result. In some embodiments, therequest response may also include the decoding result and/or otherobject-related information. The request response may be transmitted tothe inspection processor 220 or other previously designated recipientvia the first network 280. The authentication result, decoding result,or both may alternatively or in addition be transmitted over the secondnetwork 230 for storage in an authentication database 254. Theauthentication database 254 may reside on the database server 250 oranother server connected to the network 230. The authentication database254 may be made selectively accessible to one or more authenticationmonitoring processors 260 over a third network 270. This allowsauthorized users to access the authentication database to monitorindividual and cumulative authentication information and statistics.

It will be understood that the networks 230, 270 and 280 may be the sameor different networks. Any or all of these may be any form of local orwide area network. Any or all may, for example, be or include theInternet to allow a large number of widespread users. Network 280 mayalso be a telecommunications network over which digital images may betransmitted from image acquisition devices such as camera phones. Itwill also be understood that the modules and functions of theauthentication server 240 may be distributed among multipleinterconnected servers and processors.

The authentication systems of the invention are highly flexible and canbe used in a wide variety of authentication scenarios. In a typicalscenario, an encoded authentication image is applied to the packaging ofa client manufacturer's product that is subject to counterfeiting ortampering. An on-site inspector equipped with a portable inspectionprocessor and an image acquisition device may be dispatched to a sitesuch as a warehouse where a group of packaged products are stored. Theinspector may use the image acquisition device to scan or otherwisecapture a digital image of the target area of a suspect product package.Additional information such as date, time, location, product serialnumber, etc., may be entered by the inspector. Some of this informationmay alternatively be entered automatically by the inspection processor.If the inspection processor is equipped with its own decoding andauthentication software, the inspector may authenticate the suspectproduct immediately. Alternatively or in addition, the inspectionprocessor may be used to submit an authentication request to a remoteauthentication server. Authentication requests may be sent on anindividual item basis. Alternatively, captured authentication images andassociated product information may collected for multiple test items andsubmitted as part of a single authentication request. This would allow,for example, the inspection processor to be used independently of anetwork connection to collect authentication data from a plurality oftest items, then connect to the network (e.g., by logging into anInternet website) for submitting a single batch authentication request.

Upon receiving the authentication request from the inspection processor,the authentication server validates the request, retrieves any requiredimage encoding information from the encoding information database andprocesses the captured digital image. The captured image is decoded andcompared to retrieved authentication criteria to determine anauthentication result. The authentication result is then stored in theauthentication database. A representative of the manufacturer or otherauthorized user is then able to access the authentication results byconnecting to the authentication database. In some embodiments, this maybe accomplished by logging into a security-controlled website andsubmitting a request for authentication results for the test objects.

In some embodiments, the authentication server may be configured foraccess through a web site. Authorized users can log onto the web site,upload scanned images, and immediately receive an authentication resulton their browser. Results can also be stored in an authenticationdatabase for future reviews.

In some embodiments, a web-based authentication service may beimplemented using standards for interface and data representation, suchas SOAP and XML, to enable third parties to connect their informationservices and software to the authentication service. This approach wouldenable seamless authentication request/response flow among diverseplatforms and software applications.

As discussed above, the functions of the authentication systems and theactions of the authentication methods of the invention may be carriedout using a single data processor or may be distributed among multipleinterconnected processors. In some embodiments, for example, thedecoding and authentication functions may be carried out by differentprocessors. Aspects of decoding functions themselves may be carried outusing a single processor or a plurality of networked processors.

FIGS. 5-7 illustrate typical systems for decoding according to theinvention. With reference to FIG. 5, a system 300 for digital decodingof a captured digital image is a standalone system that may compriseonly a single decoding processor 310 and an image acquisition device320. The decoding processor 310 is configured to receive captureddigital images from the data acquisition device and process them asrequired to provide a decoding result. The decoding processor 310 may beconfigured with the software required for applying a particular decodingdigital methodology. Some or all of the encoding information required bythe decoding software may be stored in the decoding processor 310 and/ormay be provided by a user.

The decoding processor 310 will typically include a screen or printerthat allows the user of the stand-alone decoding system 300 to scan apackage or document and immediately see a decoded result. The result maybe stored or it may be used solely as an “on-the-spot” inspection systemin which the result can be discarded after viewing by theuser/inspector.

Another approach to the decoding system provides for the gathering ofmultiple captured images and associated article information, which canthen be sent in a batch to centralized decoding processor or server.With reference to FIG. 6, a decoding system 400 of this type maycomprise one or more inspection stations each having an imageacquisition device 420 in communication with an inspection processor 410having an image processing application resident thereon. In a typicalembodiment, the image acquisition device 420 may be a scanner and theimage processing application is configured for receiving scanned imagesfrom the scanner. Scanned images may be transferred individually orcollectively to a data gathering processor 430. The data gatheringprocessor 430 may be in selective communication with the inspectionprocessor 410 over a network. In some embodiments, the inspectionprocessor 410 may be configured to gather and submit a plurality ofimages and associated object information at one time to the datagathering processor 430.

The scanned images may be transferred along with information relating tothe object or document scanned. The data gathering processor 430 may beadapted for receiving captured images and associated object informationfrom any number of inspection processors 410. The captured images andassociated object information may be gathered and submitted at the sametime to a decoding processor or server 450 over a network 440. In aparticular embodiment, the network 440 is the Internet and the decodingprocessor 450 is accessed via a webpage. Decoding results produced bythe decoding processor 450 may be accessed by a monitoring processor 470over a second network 460 that may be the same as the first network 440.

In a typical scenario for using a decoding system 400, inspectors scanpackage labels or documents using the image acquisition devices 420 andprovide appropriate information (e.g., the location where the packagewas collected, date and time, product serial number, etc.) for eachcaptured image. At the end of the work day, the scanned images andcorresponding data are batched to the decoding processor 450, where theyare decoded. The decoding results may be stored at the decodingprocessor or in a separate database. The decoding results are madeaccessible to authorized monitoring processors 470. In a particularembodiment, the decoding results may be received over the Internet andmay be viewed using a web browser, which displays all scanned anddecoded images, as well as the other data provided by inspectors at thetime of scanning.

The separation of data gathering and decoding enables distributedinformation gathering, and centralized, web based decoding. This alsoenables centralized storage of the decoding results and facilitatesautomated authentication. The results can be shared among members of aspecific user group (e.g., a brand protection team) and may be reviewedby their management. Analysis of the cumulative results can help in thedetection of global and local counterfeiting trends. It can also providean insight into the efficiency of the current deterrent measures in thedifferent markets. Another advantage of the separation and independenceof data gathering and decoding operations is that customers can hirecontractors for package scanning at certain markets, without revealingdetailed information about anti-counterfeiting features on the package.In addition, inspectors do not need uninterrupted network access—theyneed only connect to the decoding processor occasionally (e.g., at theend of a work day or work week).

In some cases, however, an inspector may need to authenticate a singleitem. If network access is available at the time the image is captured,the distributed approach to data gathering may unnecessarily delaydecoding and authentication. Further, the distributed approach mayrequire the presence of dedicated software to accommodate multiple fileuploads from the client's processor to the central processor and ensurethe integrity of this data exchange. An alternative model for singledecoding functionality is a network application that provides foruploading a single scanned file for decoding and immediately receivingand displaying a decoded image. This model is particularly useful in thecontext of an Internet-based system in which the inspector logs on to adecoding website using a web browser. Using the website, the inspectorcan upload a single captured image and receive/display a decoding resulton his browser. This approach would be widely usable by individualsneeding to authenticate a single packaged product. It could be used, forexample, by a pharmacist wanting to authenticate a single drug package,or a forensic examiner who wants to check a single banknote or ID card.The only required equipment would be a scanner (or other imageacquisition device) and a computer connectable to the Internet, Intranetor other communications network through which a decodingserver/processor can be reached.

FIG. 7 illustrates a network-based decoding system 500 according to anembodiment of the invention. The decoding system 500 may include one ormore inspection processors 510 in selective communication with thedecoding server 540 over a network 530. Each inspection processor 510may have an associated image acquisition device 520 for capturingdigital images and transferring them to the inspection processor 510. Itwill be understood that the image acquisition device 520 and theinspection processor 510 may be combined into a single processing unit.In a typical embodiment, the image acquisition device 520 is a scannerand the inspection processor 510 is configured for receiving a scannedimage from the scanner and selectively uploading it to the decodingserver 540.

The network 530 may be any communications network such as the Internet,an Intranet, or a cellular or other telecommunications network. In aparticular embodiment of the decoding system 500, the network 530 is theInternet and the inspection processor 510 is equipped with a web browserto establish communication with the decoding server 540 through awebsite administered by the decoding server 540. This provides thecapability for an interactive, web-based decoding process in which acaptured digital image is uploaded to the decoding server 540 where itis processed to provide a decoding result. The decoding result is thenreturned to the inspection processor for display or printing.

The decoding server 540 may include or have access to one or moredatabases in which encoding information is stored for use in applyingthe appropriate decoding methodology for a particular user. Thisinformation may be pre-associated with a product line or even specificproducts or documents. User information and/or access rules may also bestored so that the decoding server 540 can determine if a particularuser is entitled to logon on to the system or to receive a particulardecoding result.

A method of providing a digital image decoding service in an interactivenetwork-based session is illustrated in FIG. 8. The method begins atS200. At S210, a log-on page is transmitted to the inspection processorfor display via a web browser or similar application. At S220, a log-onrequest is received from the inspection processor. The log-on requestmay include a username and password and/or other required userinformation. At S230, the log-on information is reviewed to determine ifthe log-on is valid and a decoding session should be established. If thelog-on information is not associated with a valid user account or theassociated security information does not match information for thespecified user, the method proceeds to S232 where a check is performedto determine if a predetermined number of consecutive log-on failureshas been reached. If not, an error message may be transmitted and themethod returns to S210. The predetermined failure limit has beenreached, the user account is blocked at S234 and the method ends atS236.

If a valid log-on is received, the method proceeds to S240 whereencoding information is obtained based on information associated withthe user account and/or information supplied by the user interactively.User-supplied information may, for example, include product or documentidentification. The encoding information may be obtained from a databasein which such information is associated with user and/or productinformation. Certain encoding information may also be included in theuser-supplied information.

User-supplied information may be included in the log-on request or maybe provided in response to prompts transmitted to the user's inspectionprocessor. In a particular embodiment, the decoding server may havestored therein or may have access to one or more decoding configurationsthat have been pre-associated with the user or user class. Thesedecoding configurations represent options that may be used to decodecaptured images of different products, documents or other objects. Uponvalidating the log-on of a particular user, the decoding server mayretrieve a list of the decoding configurations associated with the userand transmit the list to the inspection processor for display to theuser. The user may then select the decoding configuration appropriatefor the object that has been captured in the digital image to bedecoded. Upon receiving the user's selection, the decoding processor maythen obtain the encoding information needed to decode the capturedimage.

A particular decoding configuration may require that the digital imagebe captured in a particular manner. For example, it may be necessarythat the image may be scanned at a particular orientation. Accordingly,at S250, scanning instructions may optionally be transmitted to theinspection processor for display. The user may then scan or otherwisecapture the digital image in the appropriate manner and upload it to thedecoding server.

At S260, the captured digital image file is received from theuser/decoding requester. At S270, the encoding information and theappropriate decoding methodology are used to process the captureddigital image and obtain a decoding result. At S280, the decoding resultis transmitted to the user where it can be displayed or printed. Anynumber of additional images may be uploaded and decoded in a particularinteractive session. At S290, a log-off request is received and themethod ends at S299.

It will be readily understood by those persons skilled in the art thatthe present invention is susceptible to broad utility and application.Many embodiments and adaptations of the present invention other thanthose herein described, as well as many variations, modifications andequivalent arrangements, will be apparent from or reasonably suggestedby the present invention and foregoing description thereof, withoutdeparting from the substance or scope of the invention.

While the foregoing illustrates and describes exemplary embodiments ofthis invention, it is to be understood that the invention is not limitedto the construction disclosed herein. The invention can be embodied inother specific forms without departing from its spirit or essentialattributes.

1. A method for determining whether an object is an authentic object towhich an expected encoded image has been applied, the expected encodedimage having been constructed by encoding an authentication image usinga set of one or more encoding parameters, the method comprising:receiving a digital image of at least a portion of the test objectincluding a target area where the expected encoded image would beapplied if the test object is an authentic object; determining the oneor more encoding parameters; and applying a digital decoding algorithmto the captured digital image to establish a decoding result.
 2. Amethod according to claim 1 wherein the actions of receiving,determining and applying are carried out by a decoding server and thedigital image is received from an inspection processor over a network.3. A method according to claim 2 wherein the network is the Internet. 4.A method according to claim 2 wherein the network is atelecommunications network.
 5. A method according to claim 1 wherein theaction of determining includes retrieving the one or more encodingparameters from an encoding information database.
 6. A method accordingto claim 1 further comprising: comparing the decoding result to objectauthentication criteria to establish an authentication result.
 7. Amethod according to claim 6 wherein the actions of receiving,determining, applying and comparing are carried out by an authenticationserver and the digital image is received from an inspection processorover a network.
 8. A method according to claim 7 wherein the digitalimage is received with a request for authentication of the object.
 9. Amethod according to claim 8 wherein the request for authenticationincludes at least one of the set consisting of object information,inspection processor information, requestor information, username andpassword information, and inspection location information.
 10. A methodaccording to claim 6 further comprising: extracting decoded indicia fromthe decoding result.
 11. A method according to claim 10 wherein theaction of comparing the decoding result includes: retrieving theauthentication image from an encoding information database; andcomparing the decoded indicia to authentication image indicia.
 12. Amethod according to claim 10 wherein the action of comparing includes:comparing the decoded indicia to object-specific information.
 13. Amethod according to claim 12 wherein the object-specific information isreceived with the digital image.
 14. A method according to claim 12wherein the object-specific information is retrieved from at least oneof the set consisting of a database, a smart card, a magnetic strip, abar code, a processor chip and a memory chip.
 15. A method according toclaim 12 wherein the object-specific information is extracted from thedigital image.
 16. A method according to claim 6 further comprising:storing in an authentication database at least one of the set consistingof the decoding result and the authentication result.
 17. A methodaccording to claim 6 further comprising: receiving a result request forthe authentication result from a monitoring processor; determiningwhether the result request is valid; and in response to a determinationthat the result request is valid, transmitting the authentication resultto the monitoring processor.
 18. A method according to claim 17 whereinthe result request is received from the monitoring processor and theauthentication result is transmitted to the monitoring processor over anetwork.
 19. A method according to claim 18 wherein the network is theInternet.
 20. A system for determining whether a test object is anauthentic object to which an expected encoded image has been applied,the expected encoded image having been constructed by encoding anauthentication image using a set of one or more encoding parameters, thesystem comprising: a digital image acquisition device adapted forcapturing a digital image of at least a portion of the test object; anda data processing system having an image receiving module adapted forreceiving the digital image from the digital image acquisition device,an encoding information database configured for storage of at least oneof the set consisting of the authentication image and the set of one ormore encoding parameters, a decoding module adapted for applying anencoded image decoding algorithm to the digital image to produce adecoding result; and an authentication module adapted for comparing thedecoding result to object authentication criteria to determine anauthentication result.
 21. A system according to claim 20 wherein thedata processing system comprises an inspection data processor thatincludes the image receiving module.
 22. A system according o claim 21wherein the inspection data processor further includes at least one ofthe set consisting of the decoding module and the authentication module.23. A system according to claim 21 wherein the inspection data processorfurther includes a data transmission module in selective communicationwith a network, the data transmission module being adapted fortransmitting the digital image over the network, and wherein the dataprocessing system further comprises an authentication server including adata receiving module in selective communication with the network andbeing adapted for receiving the digital image from the inspection dataprocessor.
 24. A system according to claim 23 wherein the authenticationserver includes at least one of the set consisting of the decodingmodule and the authentication module.
 25. A system according to claim 23wherein the data processing system further comprises a database serverincluding the encoding information database, the database server beingin selective communication with the network.
 26. A system according toclaim 20 further comprising an authentication result database adaptedfor storage of the authentication result.
 27. A system for determiningwhether a test object is an authentic object to which an expectedencoded image has been applied, the expected encoded image having beenconstructed by encoding an authentication image using a set of one ormore encoding parameters, the system comprising: at least one digitalimage acquisition device adapted for capturing a digital image of atleast a portion of the test object; at least one inspection dataprocessor comprising an image receiving module adapted for receiving thedigital image from an associated one of the at least one digital imageacquisition device, a data transmission module in selectivecommunication with a first network, the data transmission module beingadapted for transmitting the digital image over the first network; anauthentication server comprising a data receiving module in selectivecommunication with the first network and being adapted for receiving thedigital image from the at least one inspection data processor, a firstdecoding module adapted for applying an encoded image decoding algorithmto the digital image to produce a decoding result, and a firstauthentication module adapted for comparing the decoding result toobject authentication criteria to determine an authentication result;and a first database server comprising an encoding information databaseconfigured for storage of at least one of the set consisting of theauthentication image and the set of one or more encoding parameters. 28.A system according to claim 27 further comprising a second databaseserver in selective communication with the authentication server, thesecond database server including an authentication result database,wherein the second database server may be the same server as the firstdatabase server.
 29. A system according to claim 28 further comprisingan authentication monitoring processor in selective communication withthe second database server over a second network, the authenticationmonitoring processor being adapted for requesting and receivingauthentication result information from the second database server,wherein the second network may be the same network as the first network.